DAMTP-1999-51 



juant-ph/9910087 



Unconditionally Secure Commitment of a Certified Classical Bit is Impossible 



a^ 
a^ 

> 

o 

m 

(N 
> 

oo ■ 
O' 

o: 

OS 

Oh: 



X 



Adrian Kent 

Department of Applied Mathematics and Theoretical Physics, University of Cambridge, 

Silver Street, Cambridge CB3 9EW, U.K. 

(October 20, 1999) 

In a secure bit commitment protocol involving only classical physics, A commits either a 
or a 1 to B. If quantum information is used in the protocol, A may be able to commit a state 
of the form a\0) + /3|1). If so, she can also commit mixed states in which the committed bit is 
entangled with other quantum states under her control. We introduce here a quantum cryptographic 
primitive, bit commitment with a certificate of classicality (BCCC), which differs from standard bit 
commitment in that it guarantees that the committed state has a fixed classical value. We show that 
no unconditionally secure BCCC protocol based on special relativity and quantum theory exists. 
We also propose complete definitions of security for quantum and relativistic bit commitment. 

PACS numbers: 03.67.-a, 03.67.Dd, 89.70.+C 



I. INTRODUCTION 

The discovery of secure quantum key distribution R] 
and other applications of quantum information raises 
the question: which cryptographic tasks can be guaran- 
teed secure by physical principles? One task which has 
been extensively investigated is bit commitment (BC), an 
important cryptographic primitive with several applica- 
tions. In this note, we distinguish between standard bit 
commitment and a stronger task, bit commitment with a 
certificate of classicality. We show that, while the former 
can be guaranteed secure by physical principles, the lat- 
ter cannot. We also propose complete definitions of var- 
ious types of physical security for bit commitment and 
related tasks. 



II. PHYSICAL SECURITY 

In the most commonly considered cryptographic sce- 
nario, A and B each occupy disjoint laboratories which 
are treated as effectively pointlike. Each trusts the in- 
tegrity of their own laboratory but nothing outside; in 
particular, neither trusts the other to accurately declare 
their location. Under these assumptions, special rela- 
tivistic signalling constraints cannot be relied on for se- 
curity, and the parties are effectively restricted to pro- 
tocols involving sequentially exchanged messages, each 
party waiting to receive one message before sending the 
next. 

Special relativistic signalling constraints can, though, 
play a valuable role in ensuring security in cryptographic 
scenarios in which each party controls laboratories in two 
separate locations |l3] . While these laboratories must be 
near to mutually agreed coordinates, this can be tested 



within a given protocol: no trust between the parties is 
required. 

We will neglect the possibility of cryptographic proto- 
cols whose security relies on general relativity, on quan- 
tum field theory as opposed to quantum mechanics, on 
the details of the standard model, and so on. Similarly, 
we neglect the possibility of physically based attacks rely- 
ing on properties of these theories. No practical protocols 
or attacks of these types have so far been suggested. 

So far as physical security is concerned, then, cryp- 
tographic tasks can presently be classified according to 
whether they can be securely implemented by using clas- 
sical information and relying on special relativity, by us- 
ing quantum information and neglecting special relativ- 
ity, or by relying both on the properties of quantum infor- 
mation and on special relativity, or whether they cannot 
be securely implemented at all. We can divide crypto- 
graphic protocols into the following classes. A classical 
protocol relies on the exchange of classical information, 
while a quantum protocol allows quantum information 
exchange. In a non- relativistic protocol, the signalling 
constraints imposed by special relativity are neglected, 
usually because they make no essential difference to the 
protocol's security. In a relativistic protocol, special rel- 
ativity is taken as the underlying theory, and the parties 
are located so that relativistic signalling constraints play 
a crucial role by ensuring that some communications be- 
tween them are generated independently. 

Similarly, a classical attack on a protocol is a cheating 
attempt by one party which involves diverging from the 
defined protocol and which can be described by standard 
non-relativistic or special relativistic classical physics — 
i.e. without using quantum information. A quantum at- 
tack involves the transmission and/or manipulation of 
quantum information. 



III. BIT COMMITMENT: DEFINITIONS AND 
RESULTS 



We now recall the definitions of secure bit commitment 
in classical cryptology. In a classical BC protocol A and 
B exchange classical data in such a way that B obtains an 
encoding of a bit from A. A need not necessarily know 
which bit she has encoded: she could build a random 
bit generator and encoder and not inspect its operations. 
But if she follows the protocol, either or 1 is committed, 
even if she does not know which. For the protocol to be 
classically perfectly secure against B, it must guarantee to 
A that B cannot gain any information about a committed 
bit until A chooses to reveal it. For it to be classically 
perfectly secure against A, it must guarantee to B that 
a committed bit is genuinely fixed between commitment 
and revelation. That is, there must not be a cheating 
method allowing A any chance of revealing the opposite 
bit to that committed. More precisely (since A might 
have sent nonsense) , perfect security requires that unless 
A committed a bit a via the protocol, her probability of 
later revealing a should be zero. 

A security parameter in a BC protocol is a positive in- 
teger parameter, N, such that security can be increased 
by increasing N. The protocol is classically secure mod- 
ulo certain assumptions if, when the assumptions hold, 
the probability of A successfully cheating by classical at- 
tacks and the information available to B about the bit 
before revelation can simultaneously be made arbitrarily 
small by taking N sufRciently large It is unconditionally 
classically secure if its security is guaranteed if classical 
physics (in the case of relativistic protocols, special rela- 
tivistic classical physics) is valid. 

In a quantum BC protocol, it may be possible for A to 
commit a bit in an improper mixed state q;|0)(0|+/?|1)(1|, 
by entangling the committed state with another state 
kept under her control. She can do this, for example, 
by building a quantum computer which is programmed 
to follow the protocol for either of the orthogonal in- 
put states |0) or |1) and inputting a superposition. If 
she does so after entangling a second system | )a with 
the input bit, by preparing q;|0)|0)a -I- /?|1)|1)a, she can 
keep this second system under her control throughout the 
commitment, carry out a measurement of the observable 
with eigenbasis |0)^, 11)^1 just before revelation, and then 
reveal either a or a 1 to B depending on the measure- 
ment result. This possibility, whose security implications 
were first pointed out and investigated by Brassard et al. 
PI, is not considered a security failure of a quantum 
BC protocol per se, although it can open up new cheat- 
ing possibilities for A if the protocol is part of a larger 
cryptographic scheme. 

So, we need revised definitions of security for quan- 
tum bit commitment. Complete definitions of security 
for non-relativistic quantum BC does not seem to have 



been set out yet, no doubt partly because it is known 
|g,0Jl^J|,g] that, under any reasonable definition, un- 
conditional security is unattainable for non-relativistic 
quantum BC protocols. However, precise definitions 
are needed to discuss security based on computational 
bounds for quantum BC and to discuss the security of 
relativistic quantum BC protocols. We propose defini- 
tions of security for non-relativistic quantum BC below, 
and extend them to the relativistic case. 

For a non-relativistic quantum BC protocol to be per- 
fectly secure against B, it must guarantee to A that B 
can obtain no information about a committed bit until A 
chooses to reveal it. For it to be perfectly secure against 
A, it must guarantee to B that A cannot act between 
commitment and revelation so as ever to obtain some 
chance of choosing between revealing and 1. More pre- 
cisely, define po {t) be the probability of A revealing to B 
a without giving him evidence that she has violated the 
protocol, assuming that from time t onward she follows a 
strategy that maximizes her chances of doing so. Define 
Pi{t) similarly. Let p{t) ^ po{t) +pi{t). Assume that B 
knows the commitment phase has ended at i = 0. Then 
B must be guaranteed that, however A acts after t = 0, 
it must always be the case that p{t) < 1 for all t > 0. 

A security parameter for a quantum BC protocol is a 
variable positive integer parameter, N^ such that security 
can be increased by increasing N. More precisely, we say 
a non-relativistic quantum BC protocol is secure modulo 
certain assumptions if, when the relevant assumptions 
hold: 

(i) A is guaranteed that the information available to B 
during the protocol about the bit to be revealed can be 
bounded by e. 

(ii) B is guaranteed that, for every possible strategy 
of A's, the a priori probability of her making p{t) > 1, 
for any i > 0, is uniformly bounded, whenever B is per- 
suaded at i = that A has followed the commitment 
phase of the protocol. I.e., for any e' > 0, there is an e" 
such that, regardless of the A's strategy, 

Prob(sup,>o(p(i))>l + e') < e" • 

(Hi) For any e' > 0, e and e" can simultaneously be 
made arbitrarily small by increasing the security param- 
eter. 

A non-relativistic quantum BC protocol is uncon- 
ditionally secure if its security is guaranteed if non- 
relativistic quantum mechanics is valid. 

For relativistic quantum BC protocols, we use simi- 
lar definitions. There must be some spacetime point P 
at which B is persuaded that A is committed. For any 
space-time point Q, let PC{Q) be the past light-cone of 
Q and PC{Q) be the rest of spacetime. We now define 
PoiQ) to be the probability of A revealing to B a with- 
out giving him any evidence that she has violated the 
protocol, assuming that in PC{Q) she follows a strat- 
egy that maximizes her chances of doing so, and pi{Q) 



similarly, and set p{Q) — Po{Q) + Pi{Q)- For perfect 
security we then require that, if B is persuaded of a com- 
mitment at P, then however A acts in PC{P), we must 
have p{Q) < 1 for all Q in PC{P). The definitions of 
security modulo assumptions are modified similarly. A 
relativistic quantum BC protocol is unconditionally se- 
cure if its security is guaranteed if quantum mechanics 
and special relativity are valid. 

All non-relativistic classical BC schemes are in prin- 
ciple insecure, though very good practical security can 
presently be attained. Several quantum BC schemes have 
been proposed (^j-Q. Again, for practical purposes, these 
schemes generally offer very good security at present. 
However, in principle they are insecure. More generally, 
it was shown independently by Lo and Chau g,g] and 
by Mayers [pJlZlJlOfl that no non-relativistic quantum BC 
schemes can be perfectly secure against both Bob and Al- 
ice. The restriction to non-relativistic schemes, though 
not made clear in the cited papers, is crucial. 

The Lo-Chau-Mayers result was extended by Mayers 
P,[7|JlO|] to give a proof of the general impossibility of un- 
conditionally secure quantum bit commitment. Again, 
it should be noted that, despite initial suggestions to the 
contrary pi , Mayers' proof applies only to non-relativistic 
schemes [ 1^,|^ . We refer here to the result that uncondi- 
tionally secure non-relativistic quantum bit commitment 
is impossible as the NRQBC no-go theorem. 

More recently, several relativistic classical BC proto- 
cols have been proposed | p^ , p^ . These schemes are evi- 
dently secure against classical attacks and are all conjec- 
tured to be secure against quantum attacks. Though the 
first protocol proposed ||12| requires an exponentially in- 
creasing communication rate for its implementation, the 
later protocols ||l^ can be implemented indefinitely over 
communication channels of fixed capacity. No sharp op- 
timality results are known; further refinements can un- 
doubtedly be made. Our aim here, though, is not to 
examine the situation regarding BC protocols in more 
detail, but to consider BCCC protocols. 



IV. BIT COMMITMENT WITH A CERTIFICATE 
OF CLASSICALITY 



For many purposes, it would be desirable to have a 
BC protocol which is guaranteed to behave like a classi- 
cal protocol, preventing A from exploiting the dangerous 
possibility mU of committing a bit state which remains 
entangled. Formally, we define bit commitment with a 
certificate of classicality (BCCC) to be a bit commitment 
in which the revelation of a bit a guarantees that this 
particular bit was originally committed by A. This docs 
not necessarily imply that A was aware of the value of a. 
As with ordinary BC, she could arrange to remain igno- 
rant, for instance by using a classical randomising device 



to prepare a proper mixed state and not inspecting the 
device. 

We say a BCCC protocol is perfectly secure against B 
if it guarantees to A that B can obtain no information 
about the committed bit until A chooses to reveal it. 
We say it is perfectly secure against A, if a revelation by 
A guarantees to B that the revealed bit was previously 
committed: i.e., by some point in the protocol, a valid 
commitment by A corresponds to her having input one 
of the states |0), |1) into some device which generates her 
transmissions to B during the remainder of the protocol, 
and a valid revelation of a guarantees to B that (pre- 
cisely) the state \a) was input at that point. As in the 
case of BC protocols, it must be possible to continue the 
commitment for arbitrarily long between this point and 
the moment of revelation. 

A security parameter N for a BCCC protocol is defined 
essentially as for a BC protocol. Thus, we say a BCCC 
protocol is secure modulo certain assumptions if, when 
the assumptions hold, a revelation of a guarantees that, 
with probability 1 — e, the fidelity of A's input state to 
the state \a) differed from 1 by no more than e', while the 
information available to B about the bit during the proto- 
col is no more than e", where e, e', e" can simultaneously 
be made arbitrarily small by taking N sufhciently large. 
A non-relativistic BCCC protocol is unconditionally se- 
cure if its security is guaranteed if quantum mechanics 
is valid. A relativistic BCCC protocol is unconditionally 
secure if its security is guaranteed if quantum mechanics 
and special relativity are valid. 



V. UNCONDITIONALLY SECURE BCCC IS 
IMPOSSIBLE 

The main point of this paper is to show that no un- 
conditionally secure BCCC protocol, relativistic or other- 
wise, exists. We first give the proof, and then comment. 

It is enough to show that no unconditionally secure 
relativistic protocol exists. We prove this by contradic- 
tion. Suppose that some unconditionally secure BCCC 
protocol existed. Such a protocol might require A and 
B to occupy many sites, say Ai, ....,Am and i3i, ....,i?„. 
Their locations may be time-dependent, provided that 
the relevant worldlines are timelike and that A and B's 
sites are always disjoint. We add a further constant ve- 
locity site Bq for B, and use its stationary frame to define 
the time coordinate. Now suppose that A and B agree a 
large number M, a much larger number Nq >> M, and 
a large value Ni for the security parameter. They also fix 
times of transmissions between their sites so as to run si- 
multaneously 2N[) BCCC protocols. A chosen randomly 
and independently 2Nq bits, and commits those bits to 
B in the BCCC protocols. 

Regardless of the relative separations of the sites, B can 
establish some time tc after the start of the protocols at 



which Bq knows that, if A has followed the BCCC proto- 
cols correctly, she is now committed (to the extent that 
the security parameter prescribes) . A is then required to 
send Bq, after time tc, a sequence of A^o spin 1/2 particles 
in one of the four spin states | t), | i), | <— ), I — >)• (The 
first two are eigenstates of (Jz; the last two of cr,,;-) This 
sequence is supposed to be correlated with the sequence 
of Nq pairs of BCCC protocols given by the first two, the 
second two, and so on. In each case, if the committed 
bits are respectively (0,0), (0,1), (1,0), (1,1), the state 
sent is supposed to be | t), | i),\ *—),\ ~^)- 

Once Bq has received and stored the Nq states, he ran- 
domly picks {Nq — M) of them, and sends a message to 
A asking her to reveal the corresponding commitments. 
Some time tr > tc is fixed such that the revealed bits are 
communicated back to Bq from the Bi by time tr. Bq 
then checks that the revealed bits do indeed characterise 
the spin-1/2 particle states, by carrying out measure- 
ments in the appropriate basis for each of the (A''o — M) 
particles. If the tested particles pass these checks, B ac- 
cepts that the remaining M particles are also (to very 
good approximation) in pure, unentangled eigenstates of 
ax or (T^. The corresponding 2M BCCC protocols play 
no further role, and are now suspended, without A re- 
vealing the corresponding bits to B. 

A can now commit a single bit a to B via the following 
BC protocol. Each of the M untested spin-1/2 particles 
is (to good approximation) in a a^ or ax eigenstate. Each 
of these states is known to A but not to B. We let the 
variable & be a; or z, and b the alternative. For a particle 
in a at eigenstate, A declares that, if the committed bit is 
a, the particle is a at eigenstate, while if the committed 
bit is a, the particle is a a^ eigenstate. 

As the committed bits in the BCCC protocols were 
random, these declarations give B no information about 
the bit a. But, since the BCCC protocols ensured that 
A would almost certainly have been detected cheating 
unless she sent the particles in (nearly) pure ax or cr^ 
eigenstates, this BC protocol does indeed commit her to 
a. If she follows the protocol, she can reveal a by giving 
B the list of spin states, which he can check by measure- 
ments in the appropriate bases. But if she is dishonest, 
for one of the two possible commitments, say a/, at least 
A//2 of declarations are false. Her probability of per- 
suading B that the committed bit was a/, by producing 
for him a list of spin states which pass his tests, is ap- 
proximately (1/2)^^/^. I.e., for sufficiently large values 
of AI and the other parameters, B will almost certainly 
detect a cheating attempt. 

Now, if the BCCC protocols were unconditionally se- 
cure, then the ensuing BC protocol is also uncondition- 
ally secure. In other words, by combining these pro- 
tocols into one, we have an unconditionally secure rel- 
ativistic BC protocol with the property that after a fi- 
nite number of transmissions the commitment is com- 
plete. While unconditionally secure relativistic BC pro- 



tocols exist ||lj,|lj , these protocols require that transmis- 
sions continue indefinitely up to revelation. The same 
argument used to establish the NRQBC no-go theorem 
[|7|,[lO|J^Jq| shows that no finite unconditionally secure rela- 
tivistic BC protocol exists. Hence unconditionally secure 
BCCC is impossible. 



VI. DISCUSSION 

This result re-emphasizes that classical cryptographic 
relations cannot naively be transferred into the quantum 
realm. In classical cryptology, non-relativistic or rela- 
tivistic, there is no distinction between BC and BCCC: in 
quantum relativistic cryptology, BC can be implemented 
with unconditional security, while BCCC cannot. 

A less direct argument for the impossibility of un- 
conditionally secure BCCC follows from results of Yao 
|l4| , which imply that unconditionally secure oblivious 
transfer (OT) could be built from unconditionally secure 
BCCC. Since non-relativistic BC can straightforwardly 
be constructed from OT, we again reach a contradiction 
with the NRQBC no-go theorem. 

Note, finally, that while unconditionally secure BCCC 
is impossible, BCCC schemes with security based on 
computational assumptions are certainly possible. Most 
standard classical BC schemes that are perfectly secure 
against A — for example, those based on factorisation 
or obtaining a discrete logarithm — have this property. 
An interesting recent quantum BC proposal by Salvail 
|l5| also has this property. It would be very interesting 
to understand whether BCCC schemes can be built with 
security based on assumptions which can confidently be 
relied upon in a future quantum technological era. 

Acknowledgments 

I thank the Royal Society for financial support and 
the Oxford Centre for Quantum Computation for much 
appreciated hospitality. I am very grateful to Gilles Bras- 
sard, Claude Crepeau, Dominic Mayers, Louis Salvail for 
helpful discussions. 



[1] S. Wiesner, SIGACT News 15 (1983) 78. 

[2] C. H. Bennett and G. Brassard, in Proceedings of IEEE 
International Conference on Computers, Systems and 
Signal Processing (IEEE, New York, 1984), p. 175. 

[3] G. Brassard, C. Crepeau, R. Jozsa and D. Langlois, in 
Proceedings of the 34th Annual IEEE Symposium on the 
Foundation of Computer Science (IEEE Comp. Soc, Los 
Alamitos, California, 1993), p. 362. 

[4] G. Brassard and C. Crepeau, in Advances in Cryptol- 
ogy: Proceedings of Crypto'90, Lecture Notes in Com- 



puter Science Vol 537 (Springer- Verlag, Berlin, 1991), 

p. 49. 
[5] H.-K. Lo and H. Chau, Phys. Rev. Lett. 78 (1997) 3410. 
[6] D. Mayers, Phys. Rev. Lett. 7 8 (1997) 3414. 



[12] 
[13] 



quant-ph/9806031 . 

A. Kent, Phys. Rev. Lett. 83 (1999) 1447-1450. 

A. Kent, Secure Classical Bit Commitment over Finite 



[7] D. Mayers, quant-ph/96030H 



[8] H.-K. Lo and H. Chau, Physica D 120 (1998) 177. 
[9] H.-K. Lo, Phys. Rev. A 56 (1997) 1154. 
[10] D. Mayers, in Proceedings of the Fourth Workshop on 
Physics and Computation (New England Complex Sys- 
tem Inst., Boston, 1996), p. 226. 
[11] G. Brassard, C. Crepeau, D. Mayers and L. Salvail, 



Channels, quant-ph/990610J , submitted to J. Cryptol- 

ogy- 

[14] A. Yao, in Proceedings to the 26th Symposium on the 
Theory of Computing, June 1995, pp. 67-75. 

[15] L. Salvail, in Proceedings of Crypto'98, Lecture Notes 
in Computer Science Vol 1462 (Springer- Verlag, Santa- 
Barbara, 1998) pp. 338-353. 



